Analysis of Payment Service Provider SDKs in Android

Title: Analysis of Payment Service Provider SDKs in Android
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Samin Yaseer Mahmud, K. Virgil English, Seaver Thorn, William Enck, Adam Oest, Muhammad Saad
Conference Name: Annual Computer Security Applications Conference (ACSAC)
Date Published: 12/2022
Conference Location: Austin, Texas
Keywords: 2022: October, NCSU, Policy-Governed Secure Collaboration, Reasoning about Accidental and Malicious Misuse via Formal Methods
Abstract

Payment Service Providers (PSPs) provide software development toolkits (SDKs) for integrating complex payment processing code into applications. Security weaknesses in payment SDKs can impact thousands of applications. In this work, we propose AARDroid for statically assessing payment SDKs against OWASP's MASVS industry standard for mobile application security. In creating AARDroid, we adapted application-level requirements and program analysis tools for SDK-specific analysis, tailoring dataflow analysis for SDKs using domain-specific ontologies to infer the security semantics of application programming interfaces (APIs). We apply AARDroid to 50 payment SDKs and discover security weaknesses including saving unencrypted credit card information to files, use of insecure cryptographic primitives, insecure input methods for credit card information, and insecure use of WebViews. These results demonstrate the value of applying security analysis at the SDK granularity to prevent the widespread deployment of insecure code.
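The abstract names three of the weakness classes AARDroid flags (cleartext card data written to files, insecure cryptographic primitives, and insecure WebView configuration). The following Android/Java snippet is an added illustration of what each of those looks like in SDK code beside a hardened counterpart; it is not code from the paper, from AARDroid, or from any real payment SDK. The class name `CardHandlingExamples`, the file name `card.txt`, and the URL `checkout.example` are hypothetical. It also does not reproduce the paper's MASVS mapping or its dataflow analysis; it only shows the kind of source-to-sink pattern such an analysis would report.

```java
import android.content.Context;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper class written for this illustration; not from any real PSP SDK.
public final class CardHandlingExamples {

    private CardHandlingExamples() {}

    // WEAK: persists the primary account number (PAN) in cleartext to app-private storage.
    // MODE_PRIVATE only restricts other apps; the file is still readable on a rooted
    // device, in backups, and by anything that can read the app sandbox.
    public static void cacheCardInsecure(Context ctx, String pan) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput("card.txt", Context.MODE_PRIVATE)) {
            out.write(pan.getBytes(StandardCharsets.UTF_8));
        }
    }

    // WEAK: DES is a broken primitive and ECB leaks plaintext structure.
    public static byte[] encryptWeak(SecretKey desKey, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, desKey);
        return c.doFinal(plaintext);
    }

    // HARDENED: AES-GCM with a fresh 12-byte nonce prepended to the ciphertext.
    // The key should be generated in and never leave the Android Keystore; the caller
    // supplies it here so the routine stays self-contained. Best practice is still to
    // tokenize the PAN server-side and not persist it on the device at all.
    public static byte[] encryptAesGcm(SecretKey aesKey, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // WEAK: JavaScript plus file-URL access plus a JavaScript bridge over plain HTTP.
    // Any injected or MITM'd page script can read local files and call into the bridge.
    public static void configureWebViewInsecure(WebView wv, Object bridge) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowFileAccessFromFileURLs(true);       // deprecated, still honoured on older APIs
        s.setAllowUniversalAccessFromFileURLs(true);  // lets file:// pages reach any origin
        wv.addJavascriptInterface(bridge, "native");  // exposes Java methods to page script
        wv.loadUrl("http://checkout.example/pay");    // cleartext transport
    }

    // HARDENED: no script, no file or content-provider access, HTTPS only, no bridge.
    // If the checkout page genuinely needs JavaScript, keep it enabled but leave every
    // file/universal-access setting off and restrict the bridge to @JavascriptInterface
    // methods that validate their arguments.
    public static void configureWebViewHardened(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(false);
        s.setAllowFileAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowContentAccess(false);
        wv.loadUrl("https://checkout.example/pay");
    }
}
```

The fourth weakness class in the abstract, insecure input methods for card data, lives in layout XML rather than Java: a card-number `EditText` declared with `android:inputType="text"` lets the soft keyboard cache and suggest the PAN, whereas `android:inputType="number|textNoSuggestions"` together with `android:importantForAutofill="no"` keeps it out of keyboard dictionaries and autofill stores.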

Citation Key: node-89106
Refereed Designation: Refereed